MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa23cbf9a2c7cbbf545b14518c93af51f695d2f15c695a7770629af8f328285. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments

SHA256 hash:	faa23cbf9a2c7cbbf545b14518c93af51f695d2f15c695a7770629af8f328285
SHA3-384 hash:	32e3d775061bf4224166cbc639797524aa92f30ed2717e7377685e11d6d2b41680561ce5891385ce5dc6fa6f60ce2532
SHA1 hash:	f68f8b7293b45f9adeaf9801d9a4efad61198fff
MD5 hash:	c65df52546f1fcc2fa95e5c3a4966b29
humanhash:	oxygen-harry-uncle-fourteen
File name:	DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	877'056 bytes
First seen:	2021-10-11 06:49:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:DEMIThvbG05+0kcgw3zoeUp9g+Tyi3Ng6G/w3t4RrAU7F/VTv5IF6m/:D8ih02w3zoesbyd43tErAITB
Threatray	12'065 similar samples on MalwareBazaar
TLSH	T17415E0203AFA506AFD33EE388ED4B195BB6EF7723502543AE05313464613AC1DDE257A
Reporter	abuse_ch
Tags:	AgentTesla DHL exe Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Shipping Documents REF - WAYBILL 44 7611 9546.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-10-11 06:55:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/33f598af-26a2-4c4e-b95c-46c470d46d75

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/196484/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25-2.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6163de9f3831960005b3de1f/reports/d53f1b74-5a33-481b-9f96-0e058a456472/overview

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/868163

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Modifies the hosts file

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/faa23cbf9a2c7cbbf545b14518c93af51f695d2f15c695a7770629af8f328285/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-10 23:57:12 UTC

AV detection:

14 of 45 (31.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7krdzp42fr6lx5kfwfcrrsj26upwsxjpcxdjlj3xayu27dzsqkcq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

15847f9993b6a9c7102df708444119c3b5cd47ebab19becbf4fd28f1a9dc7dd0

AgentTesla

258861524e15de729ffedb9577c48dfdd65640d2f446180c8f5e78bc9d0c9b65

AgentTesla

8c5ba3bb03e618141579283f781798366c322106055a0a40291d9d8d36e0a218

AgentTesla

abedf580a1d7f08815b89280f10f9f34ab49b69e8cb9655877b9887ac8dee83d

AgentTesla

e0a23d00156db7984951934506ee9edd0249d9a2d39e6bfb285291d510ee054f

AgentTesla

e3e139bf613e0813cfd1c3c82643986985d1ce57ce772450c196cdcce367380d

AgentTesla

+ 12'055 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211011-hly2sagefq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1881721018:AAFgjKCKDmGZSPG9IqaTLsC7W4rwVP8dqs0/sendDocument

Unpacked files

SH256 hash:

d434e7cb4105d7e760a39a1a8a1306338b00fbd6507025d53e4c44ede73d3788

MD5 hash:

6613b992e916924c3f38a179bb9866ab

SHA1 hash:

cd5741f4d0a4685c5fd9c9e2e708bbf33ec1691a

Link:

https://www.unpac.me/results/ee8ea29d-5279-4b02-a0a6-fbd48aeba9cc/

SH256 hash:

0ffd7e0463c52a8133a31a67c2594b33230458ec939741fcc8b70bbbd7519ba6

MD5 hash:

afdcb760af479cfa8a073be7508e45f5

SHA1 hash:

7f23632321345a47a3ec7a4a96dfccde3fc46f9c

Link:

https://www.unpac.me/results/ee8ea29d-5279-4b02-a0a6-fbd48aeba9cc/

SH256 hash:

678b2c6b16d91b41afbb705249994173a416280b9b842c4bc16735424847ce38

MD5 hash:

0140618142ae2ea020f7a919a42f6a35

SHA1 hash:

5014ca358552c2ad534b7850302086dd3f664223

Link:

https://www.unpac.me/results/ee8ea29d-5279-4b02-a0a6-fbd48aeba9cc/

SH256 hash:

faa23cbf9a2c7cbbf545b14518c93af51f695d2f15c695a7770629af8f328285

MD5 hash:

c65df52546f1fcc2fa95e5c3a4966b29

SHA1 hash:

f68f8b7293b45f9adeaf9801d9a4efad61198fff

Link:

https://www.unpac.me/results/ee8ea29d-5279-4b02-a0a6-fbd48aeba9cc/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/faa23cbf9a2c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/faa23cbf9a2c7cbbf545b14518c93af51f695d2f15c695a7770629af8f328285

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196484/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample